#4
21st September 2010
ocicat
Administrator
 
Join Date: Apr 2008
Posts: 3,318

If the outside interface is a private RFC1918 address, it simply means that you are working within a larger internal network. As such, you do not have any control over what the legitimate external address may be; it has to work as a proper member of the segment in which it exists. If you change your external interface's IP address:
  • ...to something which is still valid within the parent's segment, then you risk duplicating an address which does or will exist in that same segment. This will cause problems with everyone's ARP table entries in that segment because it is no longer true that all hosts have unique IP addresses.
  • ...to some address which is not in the parent's segment, then traffic might be able to get to its defined destination, but return traffic will be routed (rightfully) elsewhere.
These are two large reasons why you can't change the IP address of your firewall's external interface. You are truly at the mercy of your provider.
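An added example, not part of ocicat's post: a check of a proposed external address against the two cases described above, plus a scan of ARP observations for an IP claimed by more than one MAC. The segment, addresses, MACs and function names are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample data: the parent segment and (ip, mac) ARP observations
# as a monitoring host on that segment might record them.
PARENT_SEGMENT = ipaddress.ip_network("10.20.30.0/24")
ARP_OBSERVATIONS = [
    ("10.20.30.1", "00:00:5e:00:53:01"),   # provider gateway
    ("10.20.30.57", "00:00:5e:00:53:57"),  # another host in the segment
    ("10.20.30.80", "00:00:5e:00:53:80"),  # the firewall's assigned address
    ("10.20.30.57", "00:00:5e:00:53:80"),  # firewall re-addressed onto .57
]

def assess_change(proposed, segment, observations, own_mac):
    """Classify a proposed external address per the two cases in the post."""
    addr = ipaddress.ip_address(proposed)
    if addr not in segment:
        # Second case: outbound may work, replies follow the real route.
        return "off-segment: return traffic is routed elsewhere"
    if addr in (segment.network_address, segment.broadcast_address):
        return "reserved: network or broadcast address"
    owners = {mac for ip, mac in observations
              if ipaddress.ip_address(ip) == addr and mac != own_mac}
    if owners:
        # First case: the address already exists in the segment.
        return "duplicate: already claimed by " + ", ".join(sorted(owners))
    # First case, "or will exist": nobody answers today, but it is not ours.
    return "unclaimed now, but not assigned: may collide later"

def find_conflicts(observations):
    """Return {ip: sorted MACs} for every IP seen with more than one MAC."""
    seen = defaultdict(set)
    for ip, mac in observations:
        seen[ip].add(mac.lower())
    return {ip: sorted(macs) for ip, macs in seen.items() if len(macs) > 1}

if __name__ == "__main__":
    me = "00:00:5e:00:53:80"
    for candidate in ("10.20.30.57", "10.20.30.200", "172.16.9.4"):
        print(candidate, "->",
              assess_change(candidate, PARENT_SEGMENT, ARP_OBSERVATIONS, me))
    print(find_conflicts(ARP_OBSERVATIONS))
```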